s

windows/security/threat-protection/TOC.md

@@ -320,6 +320,7 @@
 ######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
 ######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
 ######## [Add or Remove machine tags](windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md)
+######## [Find machines by IP](windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
 
 ####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md)
 ######## [List MachineActions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)

windows/security/threat-protection/windows-defender-atp/TOC.md

@@ -317,6 +317,7 @@
 ####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
 ####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
 ####### [Add or Remove machine tags](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md)
+####### [Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
 
 ###### [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md)
 ####### [List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)

windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md

@@ -19,7 +19,7 @@ ms.date: 12/08/2017
 
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Adds or remove tag to a specific machine.
+- Adds or remove tag to a specific machine.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
@@ -80,9 +80,9 @@ Here is an example of the response.
 HTTP/1.1 200 Ok
 Content-type: application/json
 {
-    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity",
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity",
     "id": "863fed4b174465c703c6e412965a31b5e1884cc4",
-    "computerDnsName": "mymachine2.contoso.com",
+    "computerDnsName": "mymachine55.contoso.com",
     "firstSeen": "2018-07-31T14:20:55.8223496Z",
     "lastSeen": "2018-09-27T08:44:05.6228836Z",
     "osPlatform": "Windows10",

windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,100 @@
+---
+title: Find machines by IP API
+description: Find machines seen with IP in the time range of 15 minutes prior and after a given timestamp 
+keywords: apis, graph api, supported apis, get, machine, IP, find, find machine, by ip, ip
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Find machines by IP
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- Find machines seen with IP in the time range of 15 minutes prior and after a given timestamp 
+- The given timestamp must be in the past 30 days.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine profiles'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+## HTTP request
+```
+GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp})
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machines were found - 200 OK with list of the machines in the response body.
+If no machine found  - 404 Not Found.
+If the timestamp is not in the past 30 days - 400 Bad Request.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2018-09-22T08:44:05Z)
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "863fed4b174465c703c6e412965a31b5e1884cc4",
+            "computerDnsName": "mymachine33.contoso.com",
+            "firstSeen": "2018-07-31T14:20:55.8223496Z",
+            "lastSeen": null,
+            "osPlatform": "Windows10",
+            "osVersion": null,
+            "lastIpAddress": "10.248.240.38",
+            "lastExternalIpAddress": "167.220.2.166",
+            "agentVersion": "10.3720.16299.98",
+            "osBuild": 16299,
+            "healthStatus": "Active",
+            "isAadJoined": true,
+            "machineTags": [],
+            "rbacGroupId": 75,
+            "riskScore": "Medium",
+            "aadDeviceId": null
+        }
+    ]
+}
+```